0

I'm making a simple sign up/in form for a school assignment. For some reason I can't get it to create a new column in my current table. All of the information for the $_GET is coming up properly. I imagine it's a syntax error I'm not seeing. Any help would be great. Thank you.

 if ( $_GET['action'] == "create" )

    {

        print('test');
        // -----------------------
        // PERFORM DATABASE UPDATE
        $fn = $_GET['fn'];
        $ln = $_GET['ln'];
        $id = $_GET['id'];
        $user = $_GET['user'];
        $tel = $_GET['tel_num'];
        $email = $_GET['email'];
        $bday = $_GET['birthday'];
        $password = $_GET['password'];
        $address = $_GET['address'];

        print('test1');

        mysql_select_db("advweb2");


        $sql="INSERT INTO `account` (`user`, `password` , `email` , `first_name` , `last_name` , `address` , `tel_num` , `birthday`)
        VALUES ('$user', '$password', '$email', '$fn', '$ln', '$address', '$tel', '$bday')"; 
        print_r($sql);



        print("<div style='color:green'>update successful</div>");

        // -----------------------

        $action = "signin";
    }
tadman
  • You need to wrap the $sql variable in a mysql_query() function for it to actually run the query, at the moment you just print it out and don't actually process it. This is, provided that you have set the correct values to connect to the database, since there's no evidence of that in your code. – Karl Mar 27 '14 at 17:12
  • When I want a query to run I generally find it useful to actually run the query. :I – Sammitch Mar 27 '14 at 17:13
  • +1 for that @Sammitch, haha. Basically, you will need to execute the query. – iamsleepy Mar 27 '14 at 17:15
  • @Karl Although I completely agree with your comment, you should *not* suggest using `mysql_query`, even though he uses it himself. The `mysql` extension is deprecated, and should _not_ be used anymore. Instead it would be better to suggest the use of [PDO](http://www.php.net/PDO) or [MySQLi](http://www.php.net/mysqli) for this. – Tularis Mar 27 '14 at 17:16
  • @Tularis Indeed it is, but for the purpose of his "school assignment" I didn't think it was worth pointing it out. – Karl Mar 27 '14 at 17:17
  • @Karl good point, hadn't noticed it was just for a school assignment ;) – Tularis Mar 27 '14 at 17:18
  • @Tularis, Hey, we're only human :) – Karl Mar 27 '14 at 17:18
  • Teaching `mysql_query` is really a bad idea, that interface is so awful it's being removed from PHP. – tadman Mar 27 '14 at 18:21

3 Answers

0

Please don't use mysql_query, switch to mysqli or PDO instead.

$dbh = new PDO("mysql:host=$host;dbname=$dbname", $user, $pass);

$stmt = $dbh->prepare("INSERT INTO REGISTRY (name, value) VALUES (:name, :value)");
$stmt->bindParam(':name', $name);
$stmt->bindParam(':value', $value);


$name = 'one';
$value = 1;
$stmt->execute();

$dbh = null;
WinterMute
0

You need to execute the query.

You should be using MySQLi or PDO as detailed here as mysql_query is deprecated.

Example with mysqli:

<?php
$mysqli = new mysqli("localhost", "my_user", "my_password", "world");

$stmt = $mysqli->prepare(
  "INSERT INTO `account` (`user`, `password` , `email` , `first_name` , `last_name` , `address` , `tel_num` , `birthday`)
    VALUES (?, ?, ?, ?, ?, ?, ?, ?)"
);
$stmt->bind_param('ssssssss', $user, $password, $email, $fn, $ln, $address, $tel, $bday);
$stmt->execute();

/* ... */

$stmt->close();
?>

You need to make sure you clean your $_GET variables before inserting into the database to prevent SQL injection. A good read: how to prevent SQL injection.

Community
Tom
  • This worked perfectly. Yeah, I forgot to run the query. Oops. That's what school's for. – RoosterSauce Mar 27 '14 at 17:33
  • When using `mysqli` you should be using parameterized queries and [`bind_param`](http://php.net/manual/en/mysqli-stmt.bind-param.php) to add user data to your query. – tadman Mar 27 '14 at 18:16
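
The points raised in the answers above (execute the statement, bind the values, report success only when the insert actually ran), as an added example that is not code from the thread. It assumes PDO with an in-memory SQLite database standing in for the asker's MySQL server so that it runs offline; the function name `create_account`, the three-column table and the sample input are constructed for illustration, and the `password_hash` call is an addition the thread does not discuss.

```php
<?php
// Added example, not code from the thread. SQLite in memory stands in for
// MySQL; the table is a trimmed version of the question's `account` table.
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE `account` (`user` TEXT UNIQUE, `password` TEXT, `email` TEXT)');

// Hypothetical helper: returns true only if the INSERT was executed.
function create_account(PDO $dbh, array $in): bool
{
    foreach (['user', 'password', 'email'] as $key) {
        if (!isset($in[$key]) || !is_string($in[$key]) || $in[$key] === '') {
            return false;                 // missing or non-string field
        }
    }
    try {
        $stmt = $dbh->prepare(
            'INSERT INTO `account` (`user`, `password`, `email`)
             VALUES (:user, :password, :email)'
        );
        // Values travel separately from the SQL text, so quotes in the
        // input cannot change the statement.
        return $stmt->execute([
            ':user'     => $in['user'],
            // Assumption: store a hash, never the submitted password.
            ':password' => password_hash($in['password'], PASSWORD_DEFAULT),
            ':email'    => $in['email'],
        ]);
    } catch (PDOException $e) {
        error_log($e->getMessage());      // e.g. UNIQUE constraint violation
        return false;
    }
}

// Constructed sample input standing in for the submitted form fields.
$input = ['user' => "o'brien", 'password' => 'correct horse', 'email' => 'ob@example.test'];

// Print the success message only when the insert really happened.
echo create_account($dbh, $input) ? "account created\n" : "insert failed\n";

// The apostrophe was stored as data rather than parsed as SQL.
echo $dbh->query('SELECT `user` FROM `account`')->fetchColumn(), "\n";

// A second call with the same user hits the UNIQUE constraint and is reported.
echo create_account($dbh, $input) ? "account created\n" : "insert failed\n";
```
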
0

Use MySQLi or PDO as explained by others, but if you insist, execute your query like this:

$sql=mysql_query("INSERT INTO `account` (`user`, `password` , `email` , `first_name` , `last_name` , `address` , `tel_num` , `birthday`)
        VALUES ('$user', '$password', '$email', '$fn', '$ln', '$address', '$tel', '$bday')"); 

Because you prepared the query and assigned it to the variable but missed executing it.

user2009750